There are a growing number of networked users (clients). In addition, there are a growing number of network applications (servers) that provide an array of services for these users. In such an environment, data security is often a concern. Users continually access servers, and servers respond to requests arriving via the network.
To help manage security concerns, many Internet or other network systems implement security policies, wherein a policy server, for example, controls security for a domain according to the rules in its policy. In this fashion, the policy server is able to address the security needs for the nodes in the domain by enforcing the rules in the policy.
Typical policy specification models require explicit specification of the network elements in a given security domain. The explicit specification may include the host names or Internet Protocol (IP) addresses of the network elements, and such information often needs to be built into the policy model up front. If the name or IP address of a given network element changes over time (such as when the Dynamic Host Configuration Protocol (DHCP) is used), or if network elements are added or deleted from a domain, the policy model may need to be manually updated, and the information pointed to by each of the network elements may also need to change. This requires additional effort, and introduces more potential for error and inconsistency. In addition, the policy model in such implementations is often dependent on the network topology. For example, if the policy uses hard-coded IP addresses, the policy must frequently change to remain consistent with the IP address changes.
For the reasons stated above, and for other reasons stated below which will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need for the present invention.